61 Comments
- robdazomba, on 10/12/2007, -2/+34
> non admin is a user with no sudo access...
I'm a Windows user but I'm considering a jump to OS X (maybe with the next rev of Apple machines.) One of the really nice touches I've seen in tinkering with OS X is that, even with a non-admin account, the OS prompts you for an admin account login and password if you want to do something outside the bounds of a regular account. That's such a simple idea but pure genius.
- dragonflight, on 10/12/2007, -5/+27
I sincerely hope that was supposed to be dripping with sarcasm.
- trghpy, on 10/12/2007, -0/+16
"- if you have a hardware firewall, you don't need to turn on the software one"
Should be ignored by anyone using wireless, or behind an improperly configured router, or those who allow others to be on their network.
- fanboydcs, on 10/12/2007, -1/+16
root and admin on a Mac are not the same thing.
root = root
admin = normal user with sudo access...
non admin is a user with no sudo access...
- GregR, on 10/12/2007, -3/+14
Some good tips here, but:
- if you have your account set up the way you want, then create a new user as advised here but make that the admin one (just don't call it admin or similar), put a good password on it and then make your user a 'normal' user.
- if you have a hardware firewall, you don't need to turn on the software one
- furyg3, on 10/12/2007, -1/+9
Here's a guide that the NSA put together for hardening OS X (Panther). It's a bit old, but most of the points apply to 10.4.
http://www.nsa.gov/snac/downloads_macX.cfm
- newbill123, on 10/12/2007, -0/+8
I think the author overlooked the well-worn advice to turn off the "Open 'safe' files after downloading" option in Safari's preferences. Most of the potential harm I hear about on the Mac is people exploiting this option by disguising something as a safe file.
- MonkeyFarts, on 10/12/2007, -0/+8
I believe the word you're looking for is abysmal. But how can you possibly believe that _any_ OS has a horrible security track record compared to Windows? I mean, you are joking, right? As Angostura above me said, that chart (where does it even come from? who made it?) does not say much of anything because of the fact that many vulnerabilities go unpatched for Windows; probably a lot more than what goes unpatched for OS X. I'm not saying that OS X is perfect by any means. It's just that statistics don't prove anything if there is no evidence backing them up.
- trghpy, on 10/12/2007, -1/+8
Good write-up.
Now I feel vulnerable every time I use my Bluetooth phone to get online.
- caliform, on 10/12/2007, -0/+7
Not entirely true, well, true, but in some cases not. Some people may use the DMZ feature on their router to allow traffic on all ports (i.e. when using P2P), or simply port-forward broad ranges of ports. Some of the suggestions help protect against exploits in things like CUPS. Otherwise, absolutely true. And thanks a lot for the extra input, I will add it! (with credit, natch ;))
- Angostura, on 10/12/2007, -0/+5
Interesting stats. One thing that is missing from the stats, however (you can do the query here: http://nvd.nist.gov/statistics.cfm), is the length of time to patch. So for example, I believe that there are several zero-day exploits still unpatched in XP, but none in OS X. I could be wrong of course.
I'll digg you up because you bring interesting information to light.
- ElectricSoup, on 10/12/2007, -1/+6
"... tune your firewall rules."
It is possible to change the ipfw firewall rules to suit one's particular purposes, but one needs to be aware that if one does, the firewall can no longer be controlled from the GUI. That's fine for those who are happy at the CLI. Others might want to think twice.
The obvious sources of information for configuring Mac OS X:
http://images.apple.com/server/pdfs/Tiger_Server_Security_Config_021507.pdf
http://images.apple.com/server/pdfs/Tiger_Security_Config_021507.pdf
- DaffyDuck, on 10/12/2007, -0/+4
I guess there are different ways to look at it. A vulnerability is only a problem if it gets exploited.
- TonyCubed, on 10/12/2007, -3/+7
Want a safe Operating System? Unplug the internet. :P
- caliform, on 10/12/2007, -0/+3
What I thought is incredibly cool is that in that document, they go on about cameras and microphones, and ensuring they are disabled. Pure genius. I will touch more on that document in my follow-up.
- trghpy, on 10/12/2007, -2/+5
Oh just to remind people...
Change your default password on your firewall or a JavaScript hack will change it for you.
- nandabanaotakun, on 10/12/2007, -0/+2
Funny; this article made my computer less secure by telling me that my secure virtual memory setting is slowing performance.
- konstantinos88, on 10/12/2007, -0/+2
@gregr
You got edited into the article!!
- caliform, on 10/12/2007, -0/+2
Eya ElectricSoup, I made sure to state carefully that these tips can break things like Internet Sharing, Bonjour services, etc. But I think people are smart enough to simply disable the firewall when they feel like it is safe enough to do so. Good point made.
- aristotle0dude, on 10/12/2007, -0/+2
All you need is to regularly run the software updates and a hardware firewall. You can even set it to download updates in the background.
Disabling the ability for any random Bluetooth device to pair with your Mac is a good idea too. I turn BT off when I'm not using it.
- caliform, on 10/12/2007, -0/+2
Errr? Sorry, but firmware passwords are more suited for securing your computer the hardware way. If you are concerned that someone may fiddle with your firmware and its settings, you might need a whole different security guide. I'm trying to harden, aka break future exploits on, your Mac, the great majority of them being remote internet exploits.
- pinkgreenblue, on 10/12/2007, -1/+3
Why wouldn't the account be named "admin"? I'm not being rude, this is a legitimate question.
- ilgaz, on 10/12/2007, -0/+2
(of course I forgot I was replying to a comment on digg.com)
- ilgaz, on 10/12/2007, -3/+5
Normal, non-fanboy Mac users are interested in securing their computer; you can easily see it from the download numbers of security software at versiontracker.com
The issue with non-fanboys is: Symantec or some other company shows a NON-propagating, not-in-the-wild virus (!) and adds PR crap at the bottom of the article, and hopeless Unix nerds and Windows fanboys use it as a reference to claim Macs are insecure and users are stupid. That is what would make any sane person mad too. Doesn't need to be fanatic.
- MacParrot, on 10/12/2007, -0/+2
Rob,
Don't bother blocking him. He isn't bright enough to be worth the effort.
- frozendice, on 10/12/2007, -1/+2
Get Little Snitch
Set an Open Firmware password and change the security setting to where you can't boot CDs.
For the terminal users, enable “Secure Keyboard Entry” via the File menu.
!!!! Turn on 'Secure Virtual Memory' in the Security pane of System Preferences, enable FileVault or create a dmg to keep important stuff in.
Turn off Automatic Login and under "login options" select name and password.
Enable firewall logging, block UDP traffic, and enable stealth mode via “Advanced” options after you enable the firewall.
Gmail settings: incoming: pop.gmail.com, outgoing: smtp.gmail.com. USE SSL!
SECURITY SETTINGS: MUST BE DONE FIRST BEFORE CONNECTING TO INTERNET
Turn on the firewall (not on by default), and disable any services running.
Set software update to daily!
Require admin pass to create computer-to-computer networks.
Change master keychain pass from login.
Of course don't run as an admin all the time.
- dvgraphics, on 10/12/2007, -1/+2
FileVault is the most dangerous thing built into OS X. I've seen more data become corrupted and locked in its own FileVault hell because some minor thing happened.
- ilgaz, on 10/12/2007, -0/+1
There were some GUI configurators for ipfw configuration. Simple ones are freeware/donationware and more advanced ones are payware.
I mean, if you don't want to buy a GUI firewall like Netbarrier and want to use the built-in ipfw easily.
- Angostura, on 10/12/2007, -0/+1
MonkeyFarts.
The stats are legit and are graphed from the same place as I gave (the source is written on the graph); it's Homeland Security/CERT's National Vulnerability Database. I was surprised by the stats. Just because the guy has a spelling problem and has flamesque tendencies doesn't mean that the stats aren't right.
- robdazomba, on 10/12/2007, -2/+3
Add "getting blocked" to that list.
- VhaidraU, on 10/12/2007, -1/+2
I had done this on my last Mac, but forgot about this on my latest Mac, so I thank you for the reminder.
- dbr_onix, on 10/12/2007, -1/+2
As it stands, yes, OS X is "secure", given the fact it ships with no listening services running unless you specifically enable them, it doesn't run as the root user, and that Apple are generally pretty good at releasing patches, with an update notifier far more noticeable than Windows' (I've seen many computers where people just ignore the little yellow shield, or it's hidden by the "Hide inactive sys-tray icons" setting).
But, one of the most common ways of infecting computers is currently (well, "still") the "thisisnotatrojan.jpg.exe" method (tricking people into running evil executables), which is more than possible on OS X, and given that most OS X machines don't have a virus scanner (unlike most WinXP machines sold in the last few years), such attacks are only really not a problem because of the relatively small number of Macs that are around currently.
Anyway, this guide is not bad. I don't really see how blocking UDP traffic will help security, and Tor really isn't any good for "securing" a machine: if you log in to anything which you've signed up for without using Tor, or post any personal information, its anonymizing value is lost. Using it on a laptop at an open access point/public network makes more sense, but something like Hamachi, or SSH tunneling, would be a lot faster.
- caliform, on 10/12/2007, -0/+1
The follow-up is now available.
- cmv0, on 10/12/2007, -2/+3
Saying Vista (or any Windows) is more stable, secure, or better than Mac is like saying a chihuahua can take on a pitbull.
- krayzee911, on 10/12/2007, -0/+1
Good tips, but I can't read any further than the first page. The whole "I'm a douchebag and you're just a stupid pitiful user" tone in the writing turned me off from reading further.
- gresmi, on 10/12/2007, -0/+1
A quick glance over the comments shows that this hasn't come up, but security firm Corsair (not the memory makers) has a great white paper on securing Tiger:
http://research.corsaire.com/whitepapers/060517-securing-mac-os-x-tiger.pdf
There is another one on Panther here:
http://research.corsaire.com/whitepapers/040622-securing-mac-os-x.pdf
- Advocate, on 10/12/2007, -0/+1
even the OF PW can be broken by the RAM trick... unless you also padlock your case :)
...and a bolt cutter would fix that! arg!
- MeatFlaps, on 10/12/2007, -0/+1
My god do I hate the white text on a black background. It makes my eyes go crazy. Nice article though.
- frozendice, on 10/12/2007, -0/+1
What the HECK?! This is "hardening" OS X? This is pitiful! He didn't even mention the OBVIOUS FIRMWARE PASSWORD CHANGE. I'll see if I can find my OS X hardening list I made on my last reinstall.
- masskurec, on 03/01/2009, -0/+0
osx and security? this must be a joke
http://xpweak.net
- ilgaz, on 10/12/2007, -1/+1
@Caliform there are many Windows trojans in the wild which CAN enable the camera/microphone remotely via software. About OS X? Well, you can't know that. If a person got root access to your machine, he can of course enable it via software (e.g. commands) too.
- mmmgood, on 10/12/2007, -3/+2
Pitiful article. No digg.
- KyjL, on 10/12/2007, -5/+4
OH MY GOD MY EYES ARE BURNING FROM THE WHITE-ON-BLACK LAYOUT
- ilgaz, on 10/12/2007, -2/+1
Stealth mode is really, really needless, especially on OS X. More info at:
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#stealth
It is a Windows paranoid mode which has nothing to do with OS X. In fact, an up-to-date and normally firewalled (non-stealth) Windows with antivirus doesn't need "Stealth" either.
The idea is, you shouldn't have any ports which serve something (not NTP client) OPEN (not invisible) to the outside world. Blocking UDP traffic will create a nightmare for live audio/video streaming/online games too.
FYI, Intego sells a $70 firewall "Netbarrier X4" and they don't enable stealth by default, alerting that it may create problems with ISP/Network.
- cmv0, on 10/12/2007, -3/+1
I think I might try that, then I will have the most secure computer in the neighborhood. [/sarcasm]
- inactive, on 10/12/2007, -5/+3
Nice writeup.
- aristotle0dude, on 10/12/2007, -4/+1
Forget what I said, these are stupid. They get in the way of productivity.
- robdazomba, on 10/12/2007, -5/+1
Do you have a hobby?
- Jammerdelray, on 10/12/2007, -8/+2
lol to all those saying apple was invulnerable, pwnd.